cnd equities strategy - carnegie mellon university · the cnd operator should think about what the...

4
CND Equities Strategy Jonathan M. Spring, Edward Stoner CERT ® Division, Software Engineering Institute Carnegie Mellon University [email protected] Publication CERTCC-2015-40 July 2015 1 Introduction The goal of computer network defense (CND) is to protect the system and ensure the organization operates resiliently under strain [1]. To succeed, the CND strat- egy must plan for adversary response to defensive measures. Part of this planning is strategic management of equities. In the security field, the word equities has a special meaning: information assets that provide an advantage over the adversary, especially where the owner is confident the adversary does not know of those assets. Examples of equities include a clandestine informant or details of adversary tools, tactics, or procedures (TTPs) that facilitate attribution [2], detection, or prevention [3]. To destroy or burn equities is to render information assets useless by disclosure to the adversary. To defend a network, the CND operator must reveal some information. When an operator blocks a command and control (C2) domain name or IP address, the adversary will almost certainly notice that their tool stops communicating. Like- wise with cleaning an infected system. So the question is not whether to reveal equities, but which equities to reveal and which to hold in reserve at what times to gain maximum advantage. We can use game theory to model this via infor- mation states [4], but this short paper will stick to a more friendly and informal discussion. CND methods can leverage either robust or fragile equities. Whether an equity is robust or fragile is based on a simple question: How will the adversary respond to learning of the information asset? An equity is robust if the adversaries must make expensive or difficult changes to their TTPs in response to the CND method despite gaining knowledge of the revealed information, and these changes are relatively easy for the operator to continue detecting. An equity is fragile if the adversaries can make a quick or simple change to their TTPs that will still allow them to reach their intrusion objective (financial gain, political gain, or damage [5, p. 15]), and this change in TTPs will be rela- tively hard for the CND operator to detect and update their information assets. A CND operator can and should use both robust and fragile equities. Fragile equities are not inherently worse. Fragile equities may be cheaper to maintain or used to gather intelligence without revealing them. The distinction between fragile and robust equities is relevant when determining what to block, share with trusted parties, or publicize. The CND operator should think about what the adversary is going to do in response to CND methods and enact those methods that will force a favorable TTP change by the adversary. The following examples demonstrate this point. ©2015 Carnegie Mellon University

Upload: trantuong

Post on 12-Sep-2018

214 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: CND Equities Strategy - Carnegie Mellon University · The CND operator should think about what the adversary is going to do in response to CND methods and enact those methods that

CND Equities Strategy

Jonathan M. Spring, Edward StonerCERT® Division, Software Engineering Institute

Carnegie Mellon [email protected]

Publication CERTCC-2015-40

July 2015

1 IntroductionThe goal of computer network defense (CND) is to protect the system and ensurethe organization operates resiliently under strain [1]. To succeed, the CND strat-egy must plan for adversary response to defensive measures. Part of this planningis strategic management of equities.

In the security field, the word equities has a special meaning: informationassets that provide an advantage over the adversary, especially where the owneris confident the adversary does not know of those assets. Examples of equitiesinclude a clandestine informant or details of adversary tools, tactics, or procedures(TTPs) that facilitate attribution [2], detection, or prevention [3]. To destroy orburn equities is to render information assets useless by disclosure to the adversary.

To defend a network, the CND operator must reveal some information. Whenan operator blocks a command and control (C2) domain name or IP address, theadversary will almost certainly notice that their tool stops communicating. Like-wise with cleaning an infected system. So the question is not whether to revealequities, but which equities to reveal and which to hold in reserve at what timesto gain maximum advantage. We can use game theory to model this via infor-mation states [4], but this short paper will stick to a more friendly and informaldiscussion.

CND methods can leverage either robust or fragile equities. Whether an equityis robust or fragile is based on a simple question:

How will the adversary respond to learning of the information asset?

An equity is robust if the adversaries must make expensive or difficult changesto their TTPs in response to the CND method despite gaining knowledge of therevealed information, and these changes are relatively easy for the operator tocontinue detecting.

An equity is fragile if the adversaries can make a quick or simple change totheir TTPs that will still allow them to reach their intrusion objective (financialgain, political gain, or damage [5, p. 15]), and this change in TTPs will be rela-tively hard for the CND operator to detect and update their information assets.

A CND operator can and should use both robust and fragile equities. Fragileequities are not inherently worse. Fragile equities may be cheaper to maintainor used to gather intelligence without revealing them. The distinction betweenfragile and robust equities is relevant when determining what to block, share withtrusted parties, or publicize.

The CND operator should think about what the adversary is going to do inresponse to CND methods and enact those methods that will force a favorableTTP change by the adversary. The following examples demonstrate this point.

©2015 Carnegie Mellon University

Page 2: CND Equities Strategy - Carnegie Mellon University · The CND operator should think about what the adversary is going to do in response to CND methods and enact those methods that

Equities Strategy CERT/CC

2 ExamplesThe following are examples of well-known CND methods. For each example, weanswer the question presented in Section 1, “How will the adversary respond?”and analyze the answer to describe why each example is either robust or frag-ile. Since these examples are well known, we generally do not have to speculateabout adversary responses, but we can use past experience to confirm our expecta-tions. Robust examples are blocking scanning IP addresses and blocking fast-fluxdomain networks. A fragile example is relying on access to cleartext for IDS(Intrusion Detection System) signatures.

2.1 Robust Detection EquitiesScanning is behavior seeking information about a target by sending probing traf-fic [6, see: probe]. Effective tools are free and open source [7]. Although itis cheap, an adversary usually needs to scan many locations. Most scanning isbrute-force: just try everything. Therefore, an adversary wants to scan quicklyand at high volume, otherwise the scan will not finish in a useful amount of timeand intrusion objectives will not be met.

How will an adversary respond if the CND operator blocks scanning IPs orpublishes scanning IPs? The adversary’s scanning technique will have to changeto avoid detection. Detection is usually based on a combination of packet con-tents, traffic volume, and source addresses. There are many well-known scansthat use malformed packets, but if they are blocked then the adversary cannotlearn anything using these scans. The adversary cannot change TTPs to gain thesame information in many cases; blocking such malformed packets uses robustequities (the information asset is the list of malformed packet patterns).

Many scans use well-formed packets, but in high volume from a small set ofsources. If the defender blocks these sources and publishes them so others canalso prevent scans from them, then the adversary must reduce their scanning rateto avoid detection. The information asset that could be blocked and/or shared inthis case is source IP addresses that commit suspicious scans. This response un-dermines the adversary’s goal, as scans will not complete in a useful amount oftime. Adversaries could still scan certain targets slowly, but defenders continu-ally improve their scan detection and further reduce adversary scan throughput byfurther blocking and publishing the offending sources, and therefore is robust.

Fast-flux networks are service delivery networks that change DNS entries quicklyto provide reliable service to malicious networks [8]. The individual domains orIP addresses in a fast-flux network are fragile equities: the adversary has built inthe ability to cheaply change them. However, the defender can detect a fast-fluxnetwork per se and prevent communications using any fast-flux network [9]. Theinformation asset of detecting fast-flux behavior is robust. The detection dependson quick DNS changes, so the adversary’s only response is to slow down or avoidthe DNS. Slowing down makes their delivery network more fragile, which is fa-vorable to the defender. Avoiding the DNS requires major redevelopment of stableinfrastructure, which also favors the defender.1

2.2 Fragile Detection EquitiesA network-based IDS often relies on signatures to detect suspicious traffic [3].Signatures are not inherently either fragile or robust. However, an instructiveexample comes from the case of signatures relying on specific patterns withinthe packet payload. Initially, malicious traffic was sent in cleartext – i.e., readilyreadable by any device that handled the network traffic. Defenders developed IDSsignatures based on patterns within this cleartext.

1Adversaries eventually learned to avoid the DNS via peer-to-peer networks; a discussion of de-tecting P2P traffic is beyond the scope of this paper.

CERTCC-2015-40 2

Page 3: CND Equities Strategy - Carnegie Mellon University · The CND operator should think about what the adversary is going to do in response to CND methods and enact those methods that

Equities Strategy CERT/CC

So, “how will the adversary respond?” Simply, the adversary encrypts the traf-fic so the cleartext is not visible. Sometimes the adversary uses standard encryp-tion suites like TLS (Transport Layer Security) and AES (Advanced EncryptionStandard), but what algorithm is used does not matter to the IDS signature. A triv-ial encryption like a Caesar cipher could be used, and the IDS signature would notwork unless the encryption is detected and broken before applying the signature.Breaking encryption does not scale for the defender, and applying encryption istrivial because so many open source libraries exist to do various methods. There-fore, IDS signatures of cleartext packet payloads are fragile equities.

3 ConclusionThe basic strategy for the CND operator has two parts. First, do not reveal fragileequities to the adversary. Second, for CND methods that reveal equities, createand use robust equities. In all cases, plan for how the adversary will respond todefensive measures.

AcknowledgementsCopyright 2015 Carnegie Mellon University

This material is based upon work funded and supported by Department of HomelandSecurity under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for theoperation of the Software Engineering Institute, a federally funded research and develop-ment center sponsored by the United States Department of Defense.

Any opinions, findings and conclusions or recommendations expressed in this mate-rial are those of the author(s) and do not necessarily reflect the views of Department ofHomeland Security or the United States Department of Defense.

NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWAREENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS.CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EI-THER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOTLIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY,EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIEMELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITHRESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGE-MENT.

This material has been approved for public release and unlimited distribution except asrestricted below.

Internal use:* Permission to reproduce this material and to prepare derivative worksfrom this material for internal use is granted, provided the copyright and “No Warranty”statements are included with all reproductions and derivative works.

External use:* This material may be reproduced in its entirety, without modification,and freely distributed in written or electronic form without requesting formal permission.Permission is required for any other external and/or commercial use. Requests for permis-sion should be directed to the Software Engineering Institute at [email protected].

* These restrictions do not apply to U.S. government entities.Carnegie Mellon®, CERT® and CERT Coordination Center® are registered marks of

Carnegie Mellon University.DM-0002601

References[1] Fisher D, Linger R, Lipson H, Longstaff T, Mead N, Ellison R. Surviv-

able Network Systems: An Emerging Discipline. Pittsburgh, PA: SoftwareEngineering Institute, Carnegie Mellon University; 1997. CMU/SEI-97-TR-013. Available from: http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=12905.

CERTCC-2015-40 3

Page 4: CND Equities Strategy - Carnegie Mellon University · The CND operator should think about what the adversary is going to do in response to CND methods and enact those methods that

Equities Strategy CERT/CC

[2] Caltagirone S, Pendergast A, Betz C. The Diamond Model of Intrusion Analy-sis. Center for Cyber Intelligence Analysis and Threat Research; 2013. Avail-able from: http://www.threatconnect.com/methodology/diamond_model_of_intrusion_analysis.

[3] Scarfone K, Mell P. Guide to intrusion detection and prevention systems(IDPS). National Institute for Standards and Technology; 2007. 800-94.Available from: http://csrc.nist.gov/publications/nistpubs/800-94/SP800-94.pdf.

[4] Spring JM. Toward Realistic Modeling Criteria of Games in Internet Security.Journal of Cyber Security & Information Systems. 2014;2(2):2–11. Availablefrom: http://resources.sei.cmu.edu/library/asset-view.cfm?assetID=312713.

[5] Howard JD, Longstaff TA. A common language for computer security inci-dents. Sandia National Laboratories; 1998. SAND98-8667. Available from:http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.31.4289.

[6] Shirey R. Internet Security Glossary, Version 2. IETF; 2007. RFC 4949 (In-formational). Available from: http://www.ietf.org/rfc/rfc4949.txt.

[7] Lyon GF. Nmap Network Scanning: The Official Nmap Project Guide ToNetwork Discovery And Security Scanning. Nmap Project; 2011.

[8] Salusky W, Danford R. Know Your Enemy: Fast-Flux Service Networks. TheHoneynet Project; 2007. Available from: http://www.honeynet.org/papers/ff/.

[9] Holz T, Gorecki C, Rieck K, Freiling FC. Measuring and Detecting Fast-Flux Service Networks. In: Proceedings of the 15th Annual Network andDistributed System Security Symposium; 2008. Available from: http://pi1.informatik.uni-mannheim.de/filepool/publications/fast-flux-ndss08.pdf.

CERTCC-2015-40 4